Ransomware Attack - What is it and How Does it Work? - Check Point Software (2024)

Why Are Ransomware Attacks Emerging?

The modern wave of ransomware is usually dated to the WannaCry outbreak of 2017. That large-scale, highly publicized attack demonstrated that ransomware could be deployed at scale and profitably. Since then, dozens of ransomware families have been developed and used in a variety of attacks.

The COVID-19 pandemic also contributed to the recent surge in ransomware. As organizations rapidly pivoted to remote work, they opened gaps in their cyber defenses, and cybercriminals exploited those gaps to deliver ransomware.

In an age dominated by digital risks, a staggering 71% of companies have encountered ransomware attacks, resulting in an average financial loss of $4.35 million per incident.

In 2023 alone, attempted ransomware attacks targeted 10% of organizations globally, up from 7% the previous year and the highest rate recorded in recent years.

How Ransomware Works

To succeed, ransomware needs to gain access to a target system, encrypt the files there, and demand a ransom from the victim.
While implementation details vary from one ransomware variant to another, all share the same three core stages:

  • Step 1. Infection and Distribution Vectors

Ransomware, like any malware, can gain access to an organization’s systems in a number of different ways. However, ransomware operators tend to prefer a few specific infection vectors.

One of these is phishing emails. A malicious email may contain a link to a website hosting a malicious download or an attachment that has downloader functionality built in. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.

Another popular ransomware infection vector takes advantage of services such as the Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login credentials can use them to authenticate to and remotely access a computer within the enterprise network. With this access, the attacker can directly download the malware and execute it on the machine under their control.

Others attempt to infect systems directly by exploiting a vulnerability in an exposed service: WannaCry, for example, spread using the EternalBlue exploit against the SMBv1 flaw patched in MS17-010. Most ransomware variants have multiple infection vectors.

  • Step 2. Data Encryption

After ransomware has gained access to a system, it can begin encrypting files. Encrypting a user's own files needs no more than that user's privileges: the malware reads each file, encrypts it with an attacker-controlled key using the operating system's cryptographic APIs or a bundled library, and replaces the original with the encrypted version. Most ransomware variants are selective about which files they encrypt, skipping system files and directories so that the machine stays bootable and can display the ransom note. Many variants also delete local backups and Volume Shadow Copies (for example with vssadmin or wmic) before or during encryption so that recovery without the decryption key is harder.

  • Step 3. Ransom Demand

Once file encryption is complete, the ransomware makes its ransom demand. Variants implement this differently, but commonly the desktop background is replaced with a ransom note, or a text file containing the note is dropped in each encrypted directory. The note typically demands a set amount of cryptocurrency in exchange for access to the victim's files. If the ransom is paid, the operator provides either the private key that protects the symmetric encryption key or the symmetric key itself. This is entered into a decryptor program (also supplied by the criminals) that reverses the encryption and restores access to the files.
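The key handling described in Steps 2 and 3 is easiest to see in code. The following Go program is an added example written for this page, not Check Point's code or any real ransomware family: it encrypts constructed sample documents with a per-victim AES-256-GCM key, wraps that key with an RSA public key standing in for the operator's, discards the raw key, shows that a guessed key is rejected, and then plays the post-payment release in which the operator unwraps the key so a decryptor can restore the files. The document contents, the key sizes and the in-memory stand-in for the disk are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile rewrites one file's bytes as: 12-byte random nonce || ciphertext || 16-byte tag.
func encryptFile(fileKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptFile reverses encryptFile; under any other key the GCM tag check fails, so a guessed key errors instead of producing garbage.
func decryptFile(fileKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// wrapFileKey seals the symmetric key under the operator's RSA public key (OAEP); only this blob stays on the victim's disk.
func wrapFileKey(pub *rsa.PublicKey, fileKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
}

// unwrapFileKey is the operator-side step after payment; it needs the private key, which never touched the victim's machine.
func unwrapFileKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// RunScenario plays encrypt / demand / release on constructed sample files and reports whether a guessed key was rejected and whether every file came back once the key was released.
func RunScenario() (wrongKeyRejected, recovered bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // operator key pair, made before the campaign; private half stays offline
	if err != nil {
		return false, false, err
	}
	files := [][]byte{[]byte("revenue,cost\n100,80\n"), []byte("Agreement between Example Ltd and ...")} // constructed documents
	fileKey := make([]byte, 32) // Stage 2: one random 256-bit key per victim
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return false, false, err
	}
	locked := make([][]byte, len(files))
	for i, data := range files {
		if locked[i], err = encryptFile(fileKey, data); err != nil {
			return false, false, err
		}
	}
	wrapped, err := wrapFileKey(&priv.PublicKey, fileKey)
	if err != nil {
		return false, false, err
	}
	for i := range fileKey { // the malware discards the raw key; only 'wrapped' remains
		fileKey[i] = 0
	}
	_, err = decryptFile(make([]byte, 32), locked[0]) // the victim's guess is rejected by the tag check
	wrongKeyRejected = err != nil
	released, err := unwrapFileKey(priv, wrapped) // Stage 3: operator releases the key after payment
	if err != nil {
		return wrongKeyRejected, false, err
	}
	recovered = true
	for i, data := range files {
		pt, err := decryptFile(released, locked[i])
		recovered = recovered && err == nil && bytes.Equal(pt, data)
	}
	return wrongKeyRejected, recovered, nil
}

func main() {
	fmt.Println(RunScenario())
}
```

Real families differ in detail (per-file keys, ChaCha20 or Salsa20 instead of AES, custom footer formats), but the structure is the same, and it is why analysis of the encrypted files alone does not recover them: the only copy of the symmetric key left on the machine is sealed under a public key whose private half the victim never had.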

While these three core steps exist in all ransomware variants, different families implement them differently or add steps. For example, Maze scans for files, collects registry information and steals data before encrypting, and WannaCry scans for other vulnerable machines to infect and encrypt, spreading like a worm.

Types of Ransomware Attacks

Ransomware has evolved significantly over the past few years. Some important types of ransomware and related threats include:

  • Double Extortion: Double-extortion ransomware like Maze combines data encryption with data theft. This technique was developed in response to organizations refusing to pay ransoms and restoring from backups instead. By stealing an organization’s data as well, the cybercriminals could threaten to leak it if the victim doesn’t pay up.
  • Triple Extortion: Triple extortion ransomware adds a third extortion technique to double extortion. Often, this includes demanding a ransom from the victim’s customers or partners or performing a distributed denial-of-service (DDoS) attack against the company as well.
  • Locker Ransomware: Locker ransomware is ransomware that doesn’t encrypt the files on the victim’s machine. Instead, it locks the computer — rendering it unusable to the victim — until the ransom has been paid.
  • Crypto Ransomware: Crypto ransomware is ransomware that encrypts the victim's files, as opposed to locker ransomware that only locks the machine. The "crypto" refers to cryptography, not to cryptocurrency, although ransom payments are typically demanded in cryptocurrency because it is harder to trace than money moving through the traditional financial system.
  • Wiper: Wipers are a form of malware that is related to but distinct from ransomware. While they may use the same encryption techniques, the goal is to permanently deny access to the encrypted files, which may include deleting the only copy of the encryption key.
  • Ransomware as a Service (RaaS): RaaS is a malware distribution model in which ransomware gangs provide “affiliates” with access to their malware. These affiliates infect targets with the malware and split any ransom payments with the ransomware developers.
  • Data-Stealing Ransomware: Some ransomware variants have focused on data theft, abandoning data encryption entirely. One reason for this is that encryption can be time-consuming and easily detectable, providing an organization with an opportunity to terminate the infection and protect some files from encryption.

Popular Ransomware Variants

Dozens of ransomware variants exist, each with its own unique characteristics. However, some ransomware groups have been more prolific and successful than others, making them stand out from the crowd.

1. Ryuk

Ryuk is an example of a very targeted ransomware variant. It is commonly delivered via spear phishing emails or by using compromised user credentials to log into enterprise systems using the Remote Desktop Protocol (RDP). Once a system is infected, Ryuk encrypts certain types of files (avoiding those crucial to a computer’s operation), then presents a ransom demand.

Ryuk is well-known as one of the most expensive types of ransomware in existence. Ryuk demands ransoms that average over $1 million. As a result, the cybercriminals behind Ryuk primarily focus on enterprises that have the resources necessary to meet their demands.

2. Maze

The Maze ransomware is famous for being the first ransomware variant to combine file encryption with data theft. When targets started refusing to pay ransoms, Maze began collecting sensitive data from victims' computers before encrypting them. If the ransom was not paid, the data would be published or sold to the highest bidder, and the prospect of an expensive data breach was used as additional incentive to pay.

The group behind the Maze ransomware has officially ended its operations. However, this does not mean that the threat of ransomware has been reduced. Some Maze affiliates have transitioned to using the Egregor ransomware, and the Egregor, Maze, and Sekhmet variants are believed to have a common source.

3. REvil (Sodinokibi)

REvil (also known as Sodinokibi) is another ransomware family that targets large organizations.

REvil is one of the best-known ransomware families. It has been run as a Ransomware-as-a-Service by a Russian-speaking group since 2019 and has been responsible for major incidents such as the Kaseya and JBS attacks.

It has competed with Ryuk over the last several years for the title of the most expensive ransomware variant. REvil is known to have demanded $800,000 ransom payments.

While REvil began as a traditional ransomware variant, it has evolved over time and now uses double extortion: it steals data from a business as well as encrypting its files, so that in addition to demanding a ransom to decrypt the data, the attackers can threaten to release the stolen data unless a second payment is made.

4. Lockbit

LockBit is file-encrypting ransomware, run as a Ransomware-as-a-Service, that has been in operation since September 2019. It was built to encrypt large organizations' systems rapidly, so that the job is finished before security appliances and IT/SOC teams can detect and stop it.

5. DearCry

In March 2021, Microsoft released out-of-band patches for four vulnerabilities in on-premises Exchange Server (the set commonly called ProxyLogon). DearCry is a ransomware variant that was deployed on Exchange servers compromised through those vulnerabilities before they were patched.

The DearCry ransomware encrypts certain types of files. Once the encryption is finished, DearCry will show a ransom message instructing users to send an email to the ransomware operators in order to learn how to decrypt their files.

6. Lapsus$

Lapsus$ is an extortion group, often described as South American, that has been linked to attacks on high-profile targets. Rather than encrypting files, the group steals data and threatens to release it if its demands are not met. It has boasted of breaking into Nvidia, Samsung, Ubisoft and others. Code-signing certificates leaked in the Nvidia breach were subsequently used to sign malware so that it appeared trustworthy.

How Does Ransomware Affect Businesses?

A successful ransomware attack can have various impacts on a business. Some of the most common risks include:

  • Financial Losses: Ransomware attacks are designed to force their victims to pay a ransom. Additionally, companies can lose money due to the costs of remediating the infection, lost business, and potential legal fees.
  • Data Loss: Some ransomware attacks encrypt data as part of their extortion efforts. Often, this can result in data loss, even if the company pays the ransom and receives a decryptor.
  • Data Breach: Ransomware groups are increasingly pivoting to double or triple extortion attacks. These attacks incorporate data theft and potential exposure alongside data encryption.
  • Downtime: Ransomware encrypts critical data, and triple extortion attacks may incorporate DDoS attacks. Both of these have the potential to cause operational downtime for an organization.
  • Brand Damage: Ransomware attacks can harm an organization’s reputation with customers and partners. This is especially true if customer data is breached or they receive ransom demands as well.
  • Legal and Regulatory Penalties: Ransomware attacks may be enabled by security negligence and may include the breach of sensitive data. This may open up a company to lawsuits or penalties being levied by regulators.

Common Ransomware Target Industries

Ransomware can target any company across all industry verticals. However, ransomware is commonly deployed as part of a cybercrime campaign, which is often targeted at a particular industry. The top five ransomware target industries in 2023 include:

  • Education/Research: The Education/Research sector experienced 2046 ransomware attacks in 2023, a 12% drop from the previous year.
  • Government/Military: Government and military organizations were the second most targeted industry with 1598 attacks and a 4% decrease from 2022.
  • Healthcare: Healthcare experienced 1500 attacks and a 3% increase, which is particularly concerning due to the sensitive data and critical services that it provides.
  • Communications: Communications organizations experienced an 8% growth in 2023, totaling 1493 known attacks.
  • ISP/MSPs: ISPs and MSPs — a common ransomware target due to their potential for supply chain attacks — experienced 1286 ransomware attacks in 2023, a 6% decrease.

How to Protect Against Ransomware

  • Utilize Best Practices

Proper preparation can dramatically decrease the cost and impact of a ransomware attack. Following these best practices can reduce an organization's exposure to ransomware and minimize its impact:

  1. Cyber Awareness Training and Education: Ransomware is often spread using phishing emails. Training users to identify and avoid potential ransomware attacks is crucial. Many current attacks start with a targeted email that contains no malware at all, only a socially engineered message that encourages the user to click a malicious link, so user education is often considered one of the most important defenses an organization can deploy.
  2. Continuous data backups: Ransomware is, by definition, malware designed to make paying a ransom the only way to restore access to encrypted data. Automated, protected backups let an organization recover from an attack with minimal data loss and without paying. Because many variants delete shadow copies and encrypt any backup share they can reach, at least one copy should be offline or immutable, and restores should be tested regularly. Regular backups also protect against ordinary data loss from corruption or disk failure.
  3. Patching: Patching is critical because attackers study newly released patches to identify the vulnerabilities they fix and then target systems that have not yet applied them. Organizations should ensure that all systems have the latest patches applied, which reduces the number of vulnerabilities available for an attacker to exploit.
  4. User Authentication: Accessing services like RDP with stolen credentials is a favorite technique of ransomware attackers. Strong authentication, in particular multi-factor authentication on every remote-access service, makes a guessed or stolen password far less useful to an attacker.
  • Reduce the Attack Surface

With the high potential cost of a ransomware infection, prevention is the best ransomware mitigation strategy. This can be achieved by reducing the attack surface by addressing:

  1. Phishing Messages
  2. Unpatched Vulnerabilities
  3. Remote Access Solutions
  4. Mobile Malware
  • Deploy Anti-Ransomware Solution

Because ransomware must read, rewrite and usually rename a large number of files in a short time, it leaves a behavioural fingerprint on a running system that ordinary applications do not. Anti-ransomware solutions are built to recognize that fingerprint. Common characteristics of a good anti-ransomware solution include:

  • Wide variant detection
  • Fast detection
  • Automatic restoration
  • Restoration mechanism not based on common built-in tools (like ‘Shadow Copy’, which is targeted by some ransomware variants)
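The two signals a practitioner would actually watch for are the shadow-copy deletion mentioned under Step 2 and the burst of high-entropy file rewrites that gives ransomware the fingerprint described above. The following Go program is an added example written for this page, not Check Point's detection engine: it scans process-creation log lines for backup-tampering commands and runs a sliding-window entropy detector over simulated file writes. The log lines and the "encrypted" writes are constructed; the tab-separated log format, its field order and the thresholds (10 writes within 5 seconds, entropy above 7.0 bits per byte) are assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"strings"
	"time"
)

// Command lines ransomware commonly runs to destroy local recovery points before encrypting.
var backupTamperPatterns = []string{
	"vssadmin delete shadows",
	"wmic shadowcopy delete",
	"bcdedit /set {default} recoveryenabled no",
}

// MatchesBackupTampering lower-cases and whitespace-normalises the command line and strips ".exe".
func MatchesBackupTampering(cmdline string) bool {
	n := strings.ReplaceAll(strings.ToLower(strings.Join(strings.Fields(cmdline), " ")), ".exe", "")
	for _, p := range backupTamperPatterns {
		if strings.Contains(n, p) {
			return true
		}
	}
	return false
}

// ScanProcessLog reads constructed tab-separated lines (timestamp, host, user, command line).
func ScanProcessLog(lines []string) []string {
	var alerts []string
	for _, ln := range lines {
		f := strings.SplitN(ln, "\t", 4)
		if len(f) == 4 && MatchesBackupTampering(f[3]) {
			alerts = append(alerts, fmt.Sprintf("%s %s user=%s backup tampering: %s", f[0], f[1], f[2], f[3]))
		}
	}
	return alerts
}

// ShannonEntropy in bits per byte: documents sit well below 6, encrypted data near 8.
func ShannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// BurstDetector fires once Threshold high-entropy writes land within Window; users never do that, file encryptors do.
type BurstDetector struct {
	Window     time.Duration
	Threshold  int
	MinEntropy float64
	recent     []time.Time // high-entropy write times, assumed to arrive in order
}

// Observe feeds one file write, as a file-system hook would, and reports whether the threshold is reached.
func (d *BurstDetector) Observe(data []byte, at time.Time) bool {
	if ShannonEntropy(data) < d.MinEntropy {
		return false
	}
	for len(d.recent) > 0 && !d.recent[0].After(at.Add(-d.Window)) {
		d.recent = d.recent[1:] // forget writes that fell out of the window
	}
	d.recent = append(d.recent, at)
	return len(d.recent) >= d.Threshold
}

// Constructed sample log: two shadow-copy deletions and one legitimate backup job.
var sampleProcessLog = []string{
	"2024-03-01T10:00:03Z\tfs01\talice\tVSSADMIN.EXE  Delete Shadows /All /Quiet",
	"2024-03-01T10:00:04Z\tfs01\talice\twmic shadowcopy delete",
	"2024-03-01T10:00:05Z\tfs01\tsvc_backup\twbadmin start backup -backupTarget:E:",
}

// RunDemo returns the number of log alerts and whether 12 simulated ciphertext writes in 1.2 s fired the detector.
func RunDemo() (alerts int, fired bool) {
	alerts = len(ScanProcessLog(sampleProcessLog))
	hot := BurstDetector{Window: 5 * time.Second, Threshold: 10, MinEntropy: 7.0}
	start := time.Date(2024, 3, 1, 10, 0, 10, 0, time.UTC)
	for i := 0; i < 12; i++ {
		ct := make([]byte, 4096) // random bytes stand in for a freshly encrypted document
		rand.Read(ct)            // crypto/rand only errors on a broken system RNG
		fired = hot.Observe(ct, start.Add(time.Duration(i)*100*time.Millisecond)) || fired
	}
	return alerts, fired
}

func main() {
	fmt.Println(RunDemo())
}
```

Run against a real feed, the entropy check should be applied per file together with the rename or extension change, and the thresholds tuned against a baseline: compression tools and backup agents also write high-entropy data, which is why the write burst and the backup-tampering commands are evaluated together rather than either one alone.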

How to Remove Ransomware?

A ransom message is not something anyone wants to see on their computer as it reveals that a ransomware infection was successful. At this point, some steps can be taken to respond to an active ransomware infection, and an organization must make the choice of whether or not to pay the ransom.

  • How to Mitigate an Active Ransomware Infection

Many successful ransomware attacks are only detected after data encryption is complete and a ransom note has been displayed on the infected computer's screen. At this point the encrypted files cannot be recovered without the key or a backup, but some steps should be taken immediately:

  1. Quarantine the Machine: Some ransomware variants try to spread to connected drives and other machines. Limit the spread by disconnecting the machine from the network and removing its access to shares and other potential targets.
  2. Leave the Computer On: File encryption may leave a computer unstable, and powering it off discards volatile memory, which can still hold encryption keys that forensic tools are sometimes able to recover. Keep the computer on to maximize the probability of recovery.
  3. Create a Backup: For some ransomware variants, decryption is possible without paying the ransom. Copy the encrypted files and the ransom note to removable media in case a solution becomes available later or a failed decryption attempt damages the files.
  4. Check for Decryptors: Check with the No More Ransom Project to see if a free decryptor is available. If so, run it on a copy of the encrypted data to see if it can restore the files.
  5. Ask For Help: Computers sometimes retain earlier copies of files, such as shadow copies and temporary files. A digital forensics expert may be able to recover these if the malware has not deleted them.
  6. Wipe and Restore: Restore the machine from a clean backup or a fresh operating system installation. This ensures that the malware is completely removed from the device.

How Can Check Point Help

Check Point’s Anti-Ransomware technology uses a purpose-built engine that defends against the most sophisticated, evasive zero-day variants of ransomware and safely recovers encrypted data, ensuring business continuity and productivity. The effectiveness of this technology is being verified every day by our research team, and consistently demonstrating excellent results in identifying and mitigating attacks.

Harmony Endpoint, Check Point’s leading endpoint prevention and response product, includes Anti-Ransomware technology and provides protection to web browsers and endpoints, leveraging Check Point’s industry-leading network protections. Harmony Endpoint delivers complete, real-time threat prevention and remediation across all malware threat vectors, enabling employees to work safely no matter where they are, without compromising on productivity.


FAQs

How did ransomware begin? ›

Ransomware began as malware that would encrypt the files on an infected computer using a secret key known only to the attacker. The ransomware operator would then demand a ransom in exchange for the decryption key.

What is ransomware and briefly explain how does it work? ›

Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker.

What is the ransomware attack process? ›

Before attackers can demand a ransom, they must infiltrate their victims' systems and infect them with malware. The most common ransomware attack vectors are phishing, Remote Desktop Protocol (RDP) and credential abuse, and exploitable software vulnerabilities.

What does ransomware do to endpoint devices? ›

Ransomware takes over an endpoint device such as a computer, tablet, mobile phone or network server and encrypts the data on it. Until the files are decrypted or restored from backup, the user cannot access the files, applications, photos or anything else stored on the device, and the attacker offers to unlock them in return for a ransom.

How is a ransomware attack detected? ›

Signature-based Detection

Security platforms and antivirus software compare data extracted from executables, such as hashes and byte patterns, against signatures of known ransomware to decide whether a file is ransomware or an approved executable. Most modern antivirus products have this capability: when they scan the local environment for malware, they detect known ransomware variants, though not new or repacked ones that have no signature yet.

How does ransomware get into a computer system? ›

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading.

What process does a ransomware hacker perform on a user's system? ›

This particular type of malware lets hackers deny users access to the data on their computers by encrypting files. Once the files have been encrypted, the hacker can demand payment (i.e. a ransom) in exchange for the decryption key necessary to restore access to these files.

What are the 5 stages of a ransomware attack? ›

The primary kill-chain phases of a ransomware attack are surveillance, distribution, infection, staging, scanning, encryption, and extortion. Once the files are encrypted and a ransom is demanded, your options become limited.

What is the first action in a ransomware attack? ›

Any initial sign of a ransomware attack should prompt a user to immediately disconnect from the organization's network by removing both hardwired (LAN) connections and Wi-Fi access. Once it is completely disconnected from any other system, the computer can be assessed for possible damage.

What is the first step in responding to a ransomware attack? ›

When you suspect you were or are currently under a ransomware attack, establish secure communications with your incident response team immediately. They can perform the following response phases to disrupt the attack and mitigate the damage: Investigation and containment. Eradication and recovery.

How do hackers deploy ransomware? ›

Ransomware groups can use an IoT device to bypass the company's network security, while also remaining undetected. Once inside the IoT device, the hacker can pivot to the main IT network where they can pull off a larger attack.

How does ransomware get past antivirus? ›

Even if it scans email, antivirus software may not detect a phishing message whose only payload is a malicious link, because the message itself contains no malware. This is why phishing remains a common way to get around the safeguards that antivirus software provides.

Can you trace a ransomware attack? ›

Identifying ransom payments

Accumulation wallets are the key to identifying ransomware payments. Once one of these wallets is identified, we look at its transaction ledger to trace back all the payments that ended up in it. This tells us how many ransoms were paid to this wallet and when they were paid.
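What "trace back all the payments" looks like on a constructed ledger, as an added Go example written for this page (not the tooling of any blockchain-analysis vendor): starting from an accumulation wallet, it follows each inbound transfer to its source address, recurses through intermediate hop addresses up to a depth limit, and treats transfers from addresses with no inbound history in the ledger as the original ransom payments. The addresses, amounts and timestamps are invented, and a real chain needs UTXO handling and address-clustering heuristics that are omitted here.

```go
package main

import (
	"fmt"
	"sort"
)

// Tx is one constructed ledger entry: value moved from one address to another at a time.
type Tx struct {
	From, To string
	Amount   float64
	At       string // ISO 8601 timestamp, constructed
}

// TracePayments starts at a known accumulation wallet and walks the ledger backwards: every
// transfer into the wallet is followed to its source, and that source's inbound transfers are
// followed in turn, up to maxHops. A transfer whose source has no inbound transfers in the
// ledger is an origin, i.e. a presumed victim payment. Results are sorted by time.
func TracePayments(ledger []Tx, accumulation string, maxHops int) []Tx {
	inbound := map[string][]Tx{}
	for _, tx := range ledger {
		inbound[tx.To] = append(inbound[tx.To], tx)
	}
	var origins []Tx
	seen := map[string]bool{} // guards against sweep loops (ACC -> hop -> ACC)
	var walk func(addr string, hops int)
	walk = func(addr string, hops int) {
		if seen[addr] || hops > maxHops {
			return
		}
		seen[addr] = true
		for _, tx := range inbound[addr] {
			if len(inbound[tx.From]) == 0 {
				origins = append(origins, tx)
			} else {
				walk(tx.From, hops+1)
			}
		}
	}
	walk(accumulation, 0)
	sort.Slice(origins, func(i, j int) bool { return origins[i].At < origins[j].At })
	return origins
}

// Constructed ledger: two victims pay into per-victim addresses that the operator sweeps, one
// directly and one through a hop address, into the accumulation wallet ACC. The last transfer
// is unrelated noise that must not be counted.
var sampleLedger = []Tx{
	{From: "victimA", To: "pay1", Amount: 1.5, At: "2024-02-01T09:00:00Z"},
	{From: "pay1", To: "ACC", Amount: 1.5, At: "2024-02-01T12:00:00Z"},
	{From: "victimB", To: "pay2", Amount: 0.8, At: "2024-02-03T08:30:00Z"},
	{From: "pay2", To: "hop", Amount: 0.8, At: "2024-02-03T09:00:00Z"},
	{From: "hop", To: "ACC", Amount: 0.8, At: "2024-02-03T10:00:00Z"},
	{From: "shop", To: "customer", Amount: 0.1, At: "2024-02-04T10:00:00Z"},
}

func main() {
	for _, tx := range TracePayments(sampleLedger, "ACC", 4) {
		fmt.Printf("%s paid %.2f on %s\n", tx.From, tx.Amount, tx.At)
	}
}
```

The depth limit matters in practice: with too few hops the walk stops at the operator's intermediate addresses and under-counts ransoms, while with no limit it eventually wanders into exchange deposit addresses and counts unrelated funds, so the number is tuned against known sweeps for the group being tracked.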

How does ransomware work and spread? ›

Deceptive phishing emails are the most common way for ransomware attacks to start, but they can also begin with infected portable devices like USB drives, unsecured public Wi-Fi networks, exploitation of zero-day vulnerabilities, and covert drive-by downloads from malicious websites.

What is ransomware and how to prevent IT? ›

A ransomware attack usually starts with a malicious email. Users can be trained to identify cyber threats including ransomware, phishing, and social engineering. Users trained to identify malicious messages are less likely to open an infected attachment. Hackers sometimes use social engineering in their attacks.

How does ransomware lock your computer? ›

Ransomware is malware that encrypts your files or stops you from using your computer until you pay money (a ransom) for them to be unlocked. If your computer is connected to a network the ransomware may also spread to other computers or storage devices on the network.
